From 03c4a4ffb989460f0c07567535892b5f5479df6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Br=C3=BCning?=
Date: Tue, 26 Mar 2019 13:35:54 +0100
Subject: [Backport] Security bug 905509 (11/13)
Manual and partial backport of original patch by Antoine Labour : Use uint32_t instead of size_t as appropriate in RasterImplementation Some size_t where silently converted to 32 bits, which could cause issues in extreme cases.
Bug: 905509
Change-Id: Id455e61a996ae3a601daeb9d433a24b22ac98407
Reviewed-on: https://chromium-review.googlesource.com/c/1404096
Reviewed-by: Allan Sandfeld Jensen
---
 .../command_buffer/client/raster_implementation.cc | 19 ++++++++++---------
 .../command_buffer/client/raster_implementation.h | 2 +-
 .../client/raster_implementation_unittest.cc | 20 ++++++++++----------
 3 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/chromium/gpu/command_buffer/client/raster_implementation.cc b/chromium/gpu/command_buffer/client/raster_implementation.cc
index 58e11efb3f0..effa86ad402 100644
--- a/chromium/gpu/command_buffer/client/raster_implementation.cc
+++ b/chromium/gpu/command_buffer/client/raster_implementation.cc
@@ -128,7 +128,7 @@ class TransferCacheSerializeHelperImpl
 // Helper to copy PaintOps to the GPU service over the transfer buffer.
 class PaintOpSerializer {
 public:
- PaintOpSerializer(size_t initial_size,
+ PaintOpSerializer(uint32_t initial_size,
 RasterImplementation* ri,
 cc::DecodeStashingImageProvider* stashing_image_provider,
 cc::TransferCacheSerializeHelper* transfer_cache_helper,
@@ -161,6 +161,7 @@ class PaintOpSerializer {
 size = op->Serialize(buffer_ + written_bytes_, free_bytes_, options);
 }
 DCHECK_LE(size, free_bytes_);
+ DCHECK(base::CheckAdd(written_bytes_, size).IsValid());
 written_bytes_ += size;
 free_bytes_ -= size;
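Review bot: The new `DCHECK(base::CheckAdd(written_bytes_, size).IsValid());` only executes in debug builds, so in release a sum that wraps the now-32-bit written_bytes_ would go unnoticed and the next Serialize call would write at a wrong offset into buffer_. The line is safe only because the preceding `DCHECK_LE(size, free_bytes_)` together with the invariant that written_bytes_ + free_bytes_ never exceeds the mapped allocation (maintained outside this hunk, presumably) bounds the sum; a one-line comment making that reasoning explicit would help, e.g. `// Cannot wrap: written_bytes_ + free_bytes_ is bounded by the mapped allocation; the DCHECK documents that invariant.`. The type of `size` is not visible in this hunk; if it is still a size_t from op->Serialize, `written_bytes_ += size` is a narrowing add that the DCHECK_LE guard keeps in range, which is worth stating in the same comment. The enclosing member function starts and ends outside the hunk.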
@@ -193,8 +194,8 @@ class PaintOpSerializer {
 cc::TransferCacheSerializeHelper* const transfer_cache_helper_;
 ClientFontManager* font_manager_;
- size_t written_bytes_ = 0;
- size_t free_bytes_ = 0;
+ uint32_t written_bytes_ = 0;
+ uint32_t free_bytes_ = 0;
 DISALLOW_COPY_AND_ASSIGN(PaintOpSerializer);
 };
@@ -1040,7 +1041,7 @@ void* RasterImplementation::MapFontBuffer(size_t size) {
 return font_mapped_buffer_->address();
 }
-void RasterImplementation::UnmapRasterCHROMIUM(GLsizeiptr written_size) {
+void RasterImplementation::UnmapRasterCHROMIUM(uint32_t written_size) {
 if (written_size < 0) {
 SetGLError(GL_INVALID_VALUE, "glUnmapRasterCHROMIUM",
 "negative written_size");
@@ -1058,9 +1059,9 @@ void RasterImplementation::UnmapRasterCHROMIUM(GLsizeiptr written_size) {
 }
 raster_mapped_buffer_->Shrink(written_size);
- GLuint font_shm_id = 0u;
- GLuint font_shm_offset = 0u;
- GLsizeiptr font_shm_size = 0u;
+ uint32_t font_shm_id = 0u;
+ uint32_t font_shm_offset = 0u;
+ uint32_t font_shm_size = 0u;
 if (font_mapped_buffer_) {
 font_shm_id = font_mapped_buffer_->shm_id();
 font_shm_offset = font_mapped_buffer_->offset();
@@ -1187,8 +1188,8 @@ void RasterImplementation::RasterCHROMIUM(const cc::DisplayItemList* list,
 // TODO(enne): Tune these numbers
 // TODO(enne): Convert these types here and in transfer buffer to be size_t.
- static constexpr unsigned int kMinAlloc = 16 * 1024;
- unsigned int free_size = std::max(GetTransferBufferFreeSize(), kMinAlloc);
+ static constexpr uint32_t kMinAlloc = 16 * 1024;
+ uint32_t free_size = std::max(GetTransferBufferFreeSize(), kMinAlloc);
 // This section duplicates RasterSource::PlaybackToCanvas setup preamble.
 cc::PaintOpBufferSerializer::Preamble preamble;
diff --git a/chromium/gpu/command_buffer/client/raster_implementation.h b/chromium/gpu/command_buffer/client/raster_implementation.h
index 5acec409569..3dff8709f51 100644
--- a/chromium/gpu/command_buffer/client/raster_implementation.h
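Review bot: The `if (written_size < 0)` guard kept directly after the changed UnmapRasterCHROMIUM signature can never be true now that written_size is uint32_t, so the "negative written_size" SetGLError path is dead code and the unsigned comparison draws -Wtype-limits style warnings. Either delete that branch, or replace it with a bound that still means something for an unsigned size, such as rejecting a value larger than the mapped raster buffer (`if (written_size > <mapped-buffer-size>) {` with the same SetGLError, where the buffer's size accessor is not visible in this hunk). Any caller still holding a GLsizeiptr now converts implicitly at the call site, so a negative value would arrive here as a large unsigned number instead of being rejected; if such callers exist, the sign check belongs at that conversion. The rest of UnmapRasterCHROMIUM, including what follows the error branch, is outside this hunk.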
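Review bot: The comment `// TODO(enne): Convert these types here and in transfer buffer to be size_t.` immediately above the changed kMinAlloc and free_size declarations in RasterCHROMIUM now says the opposite of what this commit does, which deliberately moves these sizes to uint32_t; it should be dropped or rewritten, for example `// Kept as uint32_t to match the transfer buffer; widening to size_t reintroduces the silent narrowing fixed for bug 905509.`. Separately, std::max deduces one type, so `uint32_t free_size = std::max(GetTransferBufferFreeSize(), kMinAlloc);` only compiles if GetTransferBufferFreeSize() returns a type identical to uint32_t; its declaration is not in the hunk, so presumably it does, but `std::max<uint32_t>(GetTransferBufferFreeSize(), kMinAlloc)` would keep the line robust to a later return-type change. RasterCHROMIUM continues past the end of the hunk.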
+++ b/chromium/gpu/command_buffer/client/raster_implementation.h
@@ -164,7 +164,7 @@ class RASTER_EXPORT RasterImplementation : public RasterInterface,
 GLuint64* params);
 void* MapRasterCHROMIUM(GLsizeiptr size);
- void UnmapRasterCHROMIUM(GLsizeiptr written_size);
+ void UnmapRasterCHROMIUM(uint32_t written_size);
 // ClientFontManager::Client implementation.
 void* MapFontBuffer(size_t size) override;
diff --git a/chromium/gpu/command_buffer/client/raster_implementation_unittest.cc b/chromium/gpu/command_buffer/client/raster_implementation_unittest.cc
index 76df1d97d28..d2de7d0fa0c 100644
--- a/chromium/gpu/command_buffer/client/raster_implementation_unittest.cc
+++ b/chromium/gpu/command_buffer/client/raster_implementation_unittest.cc
@@ -67,10 +67,10 @@ class SizedResultHelper {
 class RasterImplementationTest : public testing::Test {
 protected:
 static const uint8_t kInitialValue = 0xBD;
- static const int32_t kNumCommandEntries = 500;
- static const int32_t kCommandBufferSizeBytes =
+ static const uint32_t kNumCommandEntries = 500;
+ static const uint32_t kCommandBufferSizeBytes =
 kNumCommandEntries * sizeof(CommandBufferEntry);
- static const size_t kTransferBufferSize = 512;
+ static const uint32_t kTransferBufferSize = 512;
 static const GLint kMaxCombinedTextureImageUnits = 8;
 static const GLint kMaxTextureImageUnits = 8;
@@ -253,7 +253,7 @@ class RasterImplementationTest : public testing::Test {
 memset(ring_buffer->memory(), kInitialValue, ring_buffer->size());
 }
- size_t MaxTransferBufferSize() {
+ uint32_t MaxTransferBufferSize() {
 return transfer_buffer_->MaxTransferBufferSize();
 }
@@ -261,15 +261,15 @@ class RasterImplementationTest : public testing::Test {
 gl_->mapped_memory_->set_max_allocated_bytes(limit);
 }
- ExpectedMemoryInfo GetExpectedMemory(size_t size) {
+ ExpectedMemoryInfo GetExpectedMemory(uint32_t size) {
 return transfer_buffer_->GetExpectedMemory(size);
 }
- ExpectedMemoryInfo GetExpectedResultMemory(size_t size) {
+ ExpectedMemoryInfo GetExpectedResultMemory(uint32_t size) {
 return transfer_buffer_->GetExpectedResultMemory(size);
 }
- ExpectedMemoryInfo GetExpectedMappedMemory(size_t size) {
+ ExpectedMemoryInfo GetExpectedMappedMemory(uint32_t size) {
 ExpectedMemoryInfo mem;
 // Temporarily allocate memory and expect that memory block to be reused.
@@ -331,9 +331,9 @@ class RasterImplementationManualInitTest : public RasterImplementationTest {
 // GCC requires these declarations, but MSVC requires they not be present
 #ifndef _MSC_VER
 const uint8_t RasterImplementationTest::kInitialValue;
-const int32_t RasterImplementationTest::kNumCommandEntries;
-const int32_t RasterImplementationTest::kCommandBufferSizeBytes;
-const size_t RasterImplementationTest::kTransferBufferSize;
+const uint32_t RasterImplementationTest::kNumCommandEntries;
+const uint32_t RasterImplementationTest::kCommandBufferSizeBytes;
+const uint32_t RasterImplementationTest::kTransferBufferSize;
 const GLint RasterImplementationTest::kMaxCombinedTextureImageUnits;
 const GLint RasterImplementationTest::kMaxTextureImageUnits;
 const GLint RasterImplementationTest::kMaxTextureSize;
-- cgit v1.2.1